Step 3: Installing and Configuring AD FS

Updated: January 18, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

Now that you have configured the computers that will be used as federation servers, you are ready to install Active Directory Federation Services (AD FS) components on each of the computers. This section includes the following procedures:

Use one of the following sections to install the Federation Service component of AD FS on the ADFS-RESOURCE computer and the ADFS-ACCOUNT computer depending on the requirements in your organization. After the Federation Service is installed on a computer, that computer becomes a federation server.

If you are running Windows Server 2003 R2 Enterprise Edition on ADFS-RESOURCE and ADFS-ACCOUNT, use the following procedure to add the federation service. You must have a Secure Sockets Layer (SSL) certificate installed on the computer before adding the federation service.

In the Active Directory Federation Services (ADFS) dialog box, select the Federation Service check box, and then click OK. If Microsoft ASP.NET 2.0 was not previously enabled, click Yes to enable it, and then click OK.

In the Active Directory Services dialog box, click OK.

In the Windows Components Wizard, click Next.

On the Federation Service page, click the Select token certificate option, and select the certificate that should be used as the token signing certificate.

Under Trust policy, click Create a new trust policy, and then click Next.

If you are prompted for the location of the installation files, insert the Windows Server 2003 R2 Enterprise Edition product disc, and then click OK.

On the Completing the Windows Components Wizard page, click Finish.

Log on to ADFS-ACCOUNT as TREYRESEARCH\ADFSADMIN.

Repeat steps 2–12 for the ADFS-ACCOUNT computer using the TREYRESEARCH\ADFSADMIN user account.

The ADFS-ACCOUNT computer is a member of the TREYRESEARCH domain and forwards AD RMS requests to the CPANDL domain. In this section, you configure the AD FS trust policy, create a custom claim for the ProxyAddresses Active Directory attribute, add an Active Directory Account Store, and add and configure a resource partner.

First, configure the ADFS-ACCOUNT computer trust policy for the federation service in the TREYRESEARCH domain.

Right-click Organization Claims, point to New, and then click Organization Claim.

In the Claim name box, type ProxyAddresses.

Note

The claim name value is case-sensitive.

Select the Custom claim option, and then click OK.

Important

Great care should be taken when allowing proxy addresses through a federated trust. If proxy addresses through federation are allowed, it is possible for a malicious user to spoof an authorized user's credentials and access the user's rights-protected content. If proxy addresses through federation is a requirement of your organization, you should implement a claims transformation module that will examine a proxy address from a federated user and make sure that it matches the forest in which the request originated. The option to allow a proxy address from a federated user is turned off by default in the Active Directory Rights Management Services console.

Next, add an Active Directory account store to the Federation Service for the TREYRESEARCH domain.

The ADFS-RESOURCE computer is a member of the CPANDL domain and receives AD RMS requests from the TREYRESEARCH domain. In this section, you configure the AD FS trust policy, create a custom claim for the ProxyAddresses Active Directory attribute, add an Active Directory Account Store, add AD RMS as a Claims-aware application, and configure a resource partner.

First, configure the ADFS-RESOURCE computer trust policy for the federation service in the CPANDL domain.

On the Application Type page, select the Claims-aware application option, and then click Next.

In the Application display name box, type AD RMS Certification.

In the Application URL box, type https://adrms-srv.cpandl.com/_wmcs/certificationexternal/, and then click Next.

Note

The application URL is case sensitive and the name of the AD RMS extranet cluster should match the return URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS functionality will not work.

On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail check boxes, and then click Next.

On the Enable this Application page, select the Enable this application check box, and then click Next.

On the Completing the Add Application Wizard page, click Finish.

In the task pane, double-click ProxyAddresses, select the Enabled check box, and then click OK.

Use the following procedure to add the AD RMS licensing pipeline as a claims-aware application.

On the Application Type page, select the Claims-aware application option, and then click Next.

In the Application display name box, type AD RMS Licensing.

In the Application URL box, type https://adrms-srv.cpandl.com/_wmcs/licensingexternal/, and then click Next.

Note

The application URL is case sensitive and the computer name in the URL should match the return URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS functionality will not work.

On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail check boxes, and then click Next.

On the Enable this Application page, click the Enable this application check box, and then click Next.

On the Completing the Add Application Wizard page, click Finish.

In the task pane, double-click ProxyAddresses, click the Enabled check box, and then click OK.

Next, add an account partner to ADFS-RESOURCE. This account partner receives requests from the ADFS-ACCOUNT computer in the TREYRESEARCH domain.